{"id":816427,"url":"http://patchwork.ozlabs.org/api/patches/816427/?format=json","web_url":"http://patchwork.ozlabs.org/project/openvswitch/patch/20170920194818.26403-2-blp@ovn.org/","project":{"id":47,"url":"http://patchwork.ozlabs.org/api/projects/47/?format=json","name":"Open vSwitch","link_name":"openvswitch","list_id":"ovs-dev.openvswitch.org","list_email":"ovs-dev@openvswitch.org","web_url":"http://openvswitch.org/","scm_url":"git@github.com:openvswitch/ovs.git","webscm_url":"https://github.com/openvswitch/ovs","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170920194818.26403-2-blp@ovn.org>","list_archive_url":null,"date":"2017-09-20T19:48:17","name":"[ovs-dev,v3,1/2] ofp-util: Fix buffer overread in ofputil_decode_bundle_add().","commit_ref":null,"pull_url":null,"state":"superseded","archived":false,"hash":"2d3e4b486539a53f806a912c53e6cda5971aa173","submitter":{"id":67603,"url":"http://patchwork.ozlabs.org/api/people/67603/?format=json","name":"Ben Pfaff","email":"blp@ovn.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/openvswitch/patch/20170920194818.26403-2-blp@ovn.org/mbox/","series":[{"id":4215,"url":"http://patchwork.ozlabs.org/api/series/4215/?format=json","web_url":"http://patchwork.ozlabs.org/project/openvswitch/list/?series=4215","date":"2017-09-20T19:48:16","name":"Fix memory leaks and overreads in ofp-util","version":3,"mbox":"http://patchwork.ozlabs.org/series/4215/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/816427/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/816427/checks/","tags":{},"related":[],"headers":{"Return-Path":"<ovs-dev-bounces@openvswitch.org>","X-Original-To":["incoming@patchwork.ozlabs.org","dev@openvswitch.org"],"Delivered-To":["patchwork-incoming@bilbo.ozlabs.org","ovs-dev@mail.linuxfoundation.org"],"Authentication-Results":"ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=openvswitch.org\n\t(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;\n\tenvelope-from=ovs-dev-bounces@openvswitch.org;\n\treceiver=<UNKNOWN>)","Received":["from mail.linuxfoundation.org (mail.linuxfoundation.org\n\t[140.211.169.12])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xy9Ks583Fz9s7v\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 21 Sep 2017 05:49:05 +1000 (AEST)","from mail.linux-foundation.org (localhost [127.0.0.1])\n\tby mail.linuxfoundation.org (Postfix) with ESMTP id E9091B0B;\n\tWed, 20 Sep 2017 19:48:27 +0000 (UTC)","from smtp1.linuxfoundation.org (smtp1.linux-foundation.org\n\t[172.17.192.35])\n\tby mail.linuxfoundation.org (Postfix) with ESMTPS id D796DA49\n\tfor <dev@openvswitch.org>; Wed, 20 Sep 2017 19:48:25 +0000 (UTC)","from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net\n\t[217.70.183.195])\n\tby smtp1.linuxfoundation.org (Postfix) with ESMTPS id 5D5173D4\n\tfor <dev@openvswitch.org>; Wed, 20 Sep 2017 19:48:25 +0000 (UTC)","from sigabrt.benpfaff.org (unknown [208.91.2.3])\n\t(Authenticated sender: blp@ovn.org)\n\tby relay3-d.mail.gandi.net (Postfix) with ESMTPSA id AB7C7A80C2;\n\tWed, 20 Sep 2017 21:48:22 +0200 (CEST)"],"X-Greylist":"domain auto-whitelisted by SQLgrey-1.7.6","X-Originating-IP":"208.91.2.3","From":"Ben Pfaff <blp@ovn.org>","To":"dev@openvswitch.org","Date":"Wed, 20 Sep 2017 12:48:17 -0700","Message-Id":"<20170920194818.26403-2-blp@ovn.org>","X-Mailer":"git-send-email 2.10.2","In-Reply-To":"<20170920194818.26403-1-blp@ovn.org>","References":"<20170920194818.26403-1-blp@ovn.org>","X-Spam-Status":"No, score=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW\n\tautolearn=disabled version=3.3.1","X-Spam-Checker-Version":"SpamAssassin 3.3.1 (2010-03-16) on\n\tsmtp1.linux-foundation.org","Cc":"Ben Pfaff <blp@ovn.org>,\n\tBhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>","Subject":"[ovs-dev] [PATCH v3 1/2] ofp-util: Fix buffer overread in\n\tofputil_decode_bundle_add().","X-BeenThere":"ovs-dev@openvswitch.org","X-Mailman-Version":"2.1.12","Precedence":"list","List-Id":"<ovs-dev.openvswitch.org>","List-Unsubscribe":"<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n\t<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>","List-Post":"<mailto:ovs-dev@openvswitch.org>","List-Help":"<mailto:ovs-dev-request@openvswitch.org?subject=help>","List-Subscribe":"<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n\t<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"ovs-dev-bounces@openvswitch.org","Errors-To":"ovs-dev-bounces@openvswitch.org"},"content":"A buffer overread of up to 4 bytes was possible given a malformed\nmessage.  The message was discarded following the overread.\n\nFound by libFuzzer.\n\nReported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>\nSigned-off-by: Ben Pfaff <blp@ovn.org>\n---\n lib/ofp-util.c | 3 +++\n 1 file changed, 3 insertions(+)","diff":"diff --git a/lib/ofp-util.c b/lib/ofp-util.c\nindex 86dd5cb61653..e915cb2ab2d7 100644\n--- a/lib/ofp-util.c\n+++ b/lib/ofp-util.c\n@@ -10517,6 +10517,9 @@ ofputil_decode_bundle_add(const struct ofp_header *oh,\n     msg->bundle_id = ntohl(m->bundle_id);\n     msg->flags = ntohs(m->flags);\n \n+    if (b.size < sizeof(struct ofp_header)) {\n+        return OFPERR_OFPBFC_MSG_BAD_LEN;\n+    }\n     msg->msg = b.data;\n     if (msg->msg->version != oh->version) {\n         return OFPERR_OFPBFC_BAD_VERSION;\n","prefixes":["ovs-dev","v3","1/2"]}